Check that we have enough padding characters.
Reviewed-by: Emilia Käsper <emilia@openssl.org>
CVE-2016-2107
MR: #2572
(cherry-picked from commit 4159f311671cf3bac03815e5de44681eb758304a)
Bug: 28550804
Change-Id: Ia43cfe32f8930112eb38dbef614c96db43b30c27
diff --git a/crypto/evp/e_aes_cbc_hmac_sha1.c b/crypto/evp/e_aes_cbc_hmac_sha1.c
index fb2c884..8476d74 100644
--- a/crypto/evp/e_aes_cbc_hmac_sha1.c
+++ b/crypto/evp/e_aes_cbc_hmac_sha1.c
@@ -59,6 +59,7 @@
#include <openssl/aes.h>
#include <openssl/sha.h>
#include "evp_locl.h"
+#include "constant_time_locl.h"
#ifndef EVP_CIPH_FLAG_AEAD_CIPHER
#define EVP_CIPH_FLAG_AEAD_CIPHER 0x200000
@@ -278,6 +279,8 @@
maxpad |= (255-maxpad)>>(sizeof(maxpad)*8-8);
maxpad &= 255;
+ ret &= constant_time_ge(maxpad, pad);
+
inp_len = len - (SHA_DIGEST_LENGTH+pad+1);
mask = (0-((inp_len-len)>>(sizeof(inp_len)*8-1)));
inp_len &= mask;
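Review bot: The added `ret &= constant_time_ge(maxpad, pad);` carries no comment, and nothing in the surrounding arithmetic explains why the result is folded into `ret` instead of being tested with an `if`. I would put a comment directly above it, such as `/* pad is untrusted record data: fail if it exceeds maxpad, without a data-dependent branch */`, so that a later cleanup does not turn it into an early return and reintroduce a timing difference. `pad`, `maxpad` and `ret` are set outside this hunk, so this assumes `pad` is read from the decrypted record and `ret` is the status the function finally returns; the function body starts and ends outside the hunk. If the tree also carries a SHA-256 variant of this cipher, it presumably needs the same check.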